Audits for Compliance with HIPAA Privacy and Security Requirements Are on the Way - Are You Ready?

With the government gearing up for its HIPAA compliance audits, it’s a good time for covered entities and their business associates to do a HIPAA compliance checkup. The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) mandated the government to develop a plan to audit covered entities and their business associates for HIPAA compliance. The Office of Civil Rights, the governmental agency charged with HIPAA enforcement, is in its final stages of implementing this audit program and has hired KPMG to perform the audits. These audits are expected to commence in the next few months and KPMG is to complete audits of 150 organizations by December 31, 2012. The audits are initially expected to focus on covered entities. Each audit will include a site visit expected to span 2 to 5 days, depending on the complexity of the organization, which will consist of interviews with leadership and key personnel (e.g., Privacy Officer, CIO, medical records department director), an inspection of operations with respect to privacy and security, and an assessment of compliance with HIPAA privacy and security regulations and the organization’s HIPAA policies. At the conclusion of the audit, the audited organization will receive a final report describing the audit findings, with an emphasis on deficiencies and noncompliance and will be provided an opportunity to implement corrective actions. It is important to note that the government may initiate enforcement actions based on the audit findings; however, corrective actions may reduce or eliminate potential civil monetary penalties.

With these HIPAA compliance audits on the horizon and the OCR’s heightened efforts toward HIPAA enforcement, it is important that covered entities and business associates take proactive steps toward compliance. To prepare for these audits, we recommend taking the following steps to better position yourselves to demonstrate your HIPAA compliance to the government:

Thompson Coburn LLP | One US Bank Plaza | St. Louis, MO 63101
- Ensure you have HIPAA privacy and security policies in place and that these policies are up to date, effective and enforced.
- Perform a risk assessment of your organization's information security and set up reasonable safeguards as necessary.
- Provide periodic training to personnel on your HIPAA policies and procedures.
- Make sure that business associate agreements are in place with all business associates (e.g., IT vendors, coding consultants, billing companies, attorneys, auditors).
- Update your Notice of Privacy Practices.
- Perform ongoing monitoring of compliance with HIPAA privacy and security policies and take corrective actions if non-compliance or ineffective processes are detected.
- When the organization’s HIPAA policies and procedures are violated or a data breach occurs, take appropriate and prompt corrective actions, and document the actions taken.

Please contact your Thompson Coburn attorney or one of the attorneys in our Health Care Practice Group if you have any questions regarding HIPAA compliance or the new HIPAA compliance audit program.

Allen D. Allred, 314-552-6001, aallred@thompsoncoburn.com
James L. Fogle, 314-552-6035, jfogle@thompsoncoburn.com
Evan Raskas Goldfarb, 314-552-6198, egoldfarb@thompsoncoburn.com
A. Jay Goldstein, 312-580-2207, agoldstein@thompsoncoburn.com
Milada R. Goturi, 314-552-6057, mgoturi@thompsoncoburn.com
James F. Gunn, 314-552-6189, jgunn@thompsoncoburn.com
Joyce Harris Hennessy, 314-552-6165, jhennessy@thompsoncoburn.com
Robert N. Kamensky, 312-580-2247, rkamensky@thompsoncoburn.com
Richard J. Lang, 312-580-2220, rlang@thompsoncoburn.com
Richard L. Lawton, 314-602-6070, rlawton@thompsoncoburn.com
Jan Paul Miller, 314-552-6365, jmiller@thompsoncoburn.com
Tonya M. Oliver, 314-552-6119, toliver@thompsoncoburn.com
Claire M. Schenk, 314-552-6462, cschenk@thompsoncoburn.com

Thompson Coburn LLP | Chicago | St. Louis | Southern Illinois | Washington, D.C. | www.thompsoncoburn.com

This newsletter is intended for information only and should not be considered legal advice. If you desire legal advice for a particular situation you should consult an attorney. The ethical rules of some states require us to identify this as attorney advertising material. The choice of a lawyer is an important decision and should not be based solely upon advertisements.
